A related thing to consider is firewalling the Workstation by default. Are there programs that listen, out of the box? What needs to be done if anything?
https://www.cypherpunk.at/onioncat_trac/wiki/Security
Running OnionCat basically means connecting your computer to an additional network. Thus, one runs into similar troubles as if connecting the computer to the Internet. Hence, all rules for computer security apply as they do for systems connected to the Internet.…
Before running OnionCat, all local services should be bound to specific IP addresses. Usually this is the official IPv4 address, but it is generally a good idea to bind also to the IPv4 localhost address (127.0.0.1) and the IPv6 localhost address (::1). Most services bind to any IP address of a system by default. Following are some popular examples.
sshd: edit the configuration file (usually /etc/ssh/sshd_config) and set options ListenAdress. lighttpd: edit the configuration file /etc/lighttpd/lighttpd and set options server.bind. apache2: edit configuration file /etc/apache2/httpd.conf and set the option Listen. sendmail: edit configuration file /etc/mail/sendmail.mc and add DAEMON_OPTIONS(`Port=smtp,Addr=<IP-adress>, Name=MTA’).If possible, packet forwarding should be disabled. On Linux this is done by setting net.ipv4.conf.all.forwarding and net.ipv6.conf.all.forwarding to 0 using sysctl. On OpenBSD this is done by setting the kernel variables net.inet.ip.forwarding and net.inet6.ip6.forwarding to 0.
Use a firewall to block traffic incoming on the tunnel device. You should make sure that the firewall supports also IPv6.